Breaches within Sony's and Epsilon's networks in recent months have shone a light on a very real concern in the Age of Stolen Information. The government believes that more legislation and regulation will solve the security problems that plague our interconnected networks and systems.

But rules dictated by government fiat always lag far behind technological advances and create a "security by compliance" culture. So what is the solution?

In my opinion, additional Federal legislation on the subject of information security breaches is unnecessary. Currently there are multiple industry regulatory regimes that cover information security best practices. At a high level, here are a few:

National Institute of Standards and Technology (NIST) Computer Security Division (800 Series) which applies across all industries.

Legislation will not address enterprise security problems. However, if you look at what caused the PSN security breach, there were multiple issues that led to the compromise. The chief cause appears to be that Sony was lax about routine maintenance of its infrastructure, combined with a complete lack of internal and external communication. This includes:

Server patching and hardening

Monitoring the network and servers for suspicious activity

Disjointed or missing breach response procedures

Lack of security leadership in the organization

Lack of breach communication plan

Government Regulations at Work.

The best way to minimize the risk of a breach for an organization is to stay on top of standard maintenance and monitoring procedures. Keep the organization's servers patched and make sure they are hardened before putting them on the production network.
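The monitoring half of that advice is easy to state and easy to neglect. As an added example (not from the original post), the following Python script shows what "monitoring the servers for suspicious activity" looks like in its simplest form: it reads standard OpenSSH sshd log lines, counts failed logins per source address, and flags any source that crosses a threshold or that eventually succeeds after failing. The log lines, hostnames and addresses are constructed for illustration; the threshold of five failures is an assumed starting value, not a recommendation from the post.

```python
"""Minimal auth-log review: flag sources with repeated failed SSH logins
and sources that log in successfully after earlier failures.
Added example; the sample log is constructed, not real data."""
import re
from collections import defaultdict

# Constructed sample sshd log lines (syslog format as written by OpenSSH).
SAMPLE_AUTH_LOG = """\
May 10 03:14:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
May 10 03:14:03 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
May 10 03:14:05 web01 sshd[2233]: Failed password for root from 203.0.113.45 port 51024 ssh2
May 10 03:14:08 web01 sshd[2235]: Failed password for root from 203.0.113.45 port 51025 ssh2
May 10 03:14:10 web01 sshd[2237]: Failed password for root from 203.0.113.45 port 51026 ssh2
May 10 03:14:12 web01 sshd[2239]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2
May 10 03:15:40 web01 sshd[2241]: Failed password for deploy from 198.51.100.7 port 40113 ssh2
May 10 03:15:42 web01 sshd[2241]: Accepted password for deploy from 198.51.100.7 port 40113 ssh2
"""

# "invalid user" appears when the account does not exist on the host.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)
ACCEPTED_RE = re.compile(
    r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port"
)


def summarize_auth_log(text):
    """Return (failures_by_source, accepted_after_failure).

    failures_by_source maps source IP -> {"count": int, "users": set}.
    accepted_after_failure lists (source, user) pairs where a login succeeded
    from a source that had already failed earlier in the same log.
    """
    failures = defaultdict(lambda: {"count": 0, "users": set()})
    accepted_after_failure = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            rec = failures[m.group("src")]
            rec["count"] += 1
            rec["users"].add(m.group("user"))
            continue
        m = ACCEPTED_RE.search(line)
        # Only a prior failure from the same source makes a success notable;
        # the membership test does not create a defaultdict entry.
        if m and m.group("src") in failures:
            accepted_after_failure.append((m.group("src"), m.group("user")))
    return failures, accepted_after_failure


def suspicious_sources(text, threshold=5):
    """Sources with at least `threshold` failed logins (threshold is an assumed value)."""
    failures, _ = summarize_auth_log(text)
    return sorted(src for src, rec in failures.items() if rec["count"] >= threshold)


def report(text, threshold=5):
    """Human-readable summary suitable for a daily review or an alert body."""
    failures, late_successes = summarize_auth_log(text)
    lines = []
    for src in suspicious_sources(text, threshold):
        users = ", ".join(sorted(failures[src]["users"]))
        lines.append(f"{src}: {failures[src]['count']} failed logins (users tried: {users})")
    for src, user in late_successes:
        lines.append(f"{src}: successful login as {user} after earlier failures")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AUTH_LOG))
```

Run it and the report names 203.0.113.45 for five failures across the admin and root accounts, and 198.51.100.7 for a success that followed a failure. The second case is the one a pure threshold misses: one typo followed by a correct password is normal, but the same pattern from an unfamiliar address is exactly what a breach response procedure should be able to pick up and hand to a named point of contact.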

Ensure there is a security breach response plan that has been tested and communicated to the highest levels of the company. Have a single point of contact who directs communication regarding the breach to the appropriate parties. Also, ensure that the breach plan includes a robust communication plan for potentially affected customers.

Finally, there is always going to be a risk for a security breach or data loss. Systems and software are designed by humans and there will be flaws that can be exploited. Plus, social engineering will always provide a path to compromising the most secure systems due to the fallibility of the human element. Legislation will not address these factors.

Security practitioners understand that there is always a risk of a security breach. Therefore, risk assessment and risk management are key components of a security professional's job. Identify the most critical systems and data and implement the most robust safeguards around them. Focus monitoring efforts on these critical areas and ensure the organization's senior leadership understands the risks, mitigation strategies and internal/external communication plans.

In my experience, compliance with multiple frameworks and regulations creates a belief in security by compliance. Organizational leadership buys into the mindset that if they have all the check-boxes marked, then they are secure and additional policies, programs and monitoring are wasted efforts. This is a critical mistake in an age when your adversaries can turn on a dime and exploit your inflexibility.